From dc010ce45c9e8fb833a09d13bfc7266c7bfcf2e3 Mon Sep 17 00:00:00 2001 
From: NachoEchevarria Date: Thu, 17 Oct 2024 15:40:32 +0200 Subject: [PATCH 1/6] update snapshots --- .../RASP/AspNetCore2Rasp.cs | 2 ++ .../RASP/AspNetCore5Rasp.cs | 2 ++ .../RASP/AspNetMvc5Rasp.cs | 3 ++- ...tLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt | 1 + ...-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt | 1 + ...l=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt | 1 + ..._exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt | 1 + ...tLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt | 1 + ...-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt | 1 + ...l=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt | 1 + ..._exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt | 1 + ...tLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt | 2 +- ...-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt | 2 +- ...l=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt | 2 +- ...-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt | 2 +- ..._exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt | 2 +- ...tLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt | 2 +- ...-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt | 2 +- ...l=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt | 2 +- ...-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt | 2 +- ..._exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt | 2 +- ...tLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt | 1 + ...-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt | 1 + ...l=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt | 1 + ..._exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt | 1 + ...tLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt | 1 + ...-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt | 1 + ...l=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt | 1 + ..._exploit=SqlI_body={-UserName-- -' or 
'1'='1-}.verified.txt | 1 + ...tLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt | 2 +- ...-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt | 2 +- ...l=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt | 2 +- ...-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt | 2 +- ..._exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt | 2 +- ...tLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt | 2 +- ...-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt | 2 +- ...l=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt | 2 +- ...-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt | 2 +- ..._exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt | 2 +- ...-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt | 2 ++ 40 files changed, 44 insertions(+), 21 deletions(-) diff --git a/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetCore2Rasp.cs b/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetCore2Rasp.cs index d1cf69545051..4bd562b50d0e 100644 --- a/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetCore2Rasp.cs +++ b/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetCore2Rasp.cs @@ -7,6 +7,7 @@ #pragma warning disable SA1402 // File may only contain a single class #pragma warning disable SA1649 // File name must match first type name +using System.Collections.Generic; using System.Collections.Immutable; using System.Linq; using System.Threading.Tasks; @@ -46,6 +47,7 @@ public AspNetCore2Rasp(AspNetCoreTestFixture fixture, ITestOutputHelper outputHe EnableRasp(); SetSecurity(true); EnableIast(enableIast); + AddCookies(new Dictionary { { "cookie-key", "cookie-value" } }); SetEnvironmentVariable(ConfigurationKeys.Iast.IsIastDeduplicationEnabled, "false"); SetEnvironmentVariable(ConfigurationKeys.Iast.VulnerabilitiesPerRequest, "100"); SetEnvironmentVariable(ConfigurationKeys.Iast.RequestSampling, "100"); 
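Review bot: `AddCookies(new Dictionary { { "cookie-key", "cookie-value" } });` is added to the test constructor with no comment saying why the RASP tests now send a cookie, and the same literal pair is repeated verbatim in the AspNetCore5Rasp and AspNetMvc5Rasp hunks of this patch. The accompanying snapshot changes (`_dd.appsec.fp.session` going from `ssn----` to `ssn--bd9bce81-d0fff5a7-`) suggest the session fingerprint is derived from the cookie name/value, so roughly forty verified files now depend on these two strings staying identical across three suites; a shared constant in the test base (e.g. `private const string FingerprintCookieName = "cookie-key";`) plus a one-line comment such as `// Send a cookie so the session fingerprint (_dd.appsec.fp.session) is populated in the snapshots.` would make that coupling explicit. As rendered here the initializer reads `new Dictionary { ... }` with no type arguments, which would not compile; presumably `<string, string>` was stripped during extraction, but it is worth confirming on the committed line. The constructor this hunk sits in starts and ends outside the hunk.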
diff --git a/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetCore5Rasp.cs b/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetCore5Rasp.cs index 9ea18fd4dcdb..a1fac676322a 100644 --- a/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetCore5Rasp.cs +++ b/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetCore5Rasp.cs @@ -8,6 +8,7 @@ #pragma warning disable SA1649 // File name must match first type name using System; +using System.Collections.Generic; using System.Collections.Immutable; using System.Linq; using System.Threading.Tasks; @@ -70,6 +71,7 @@ public AspNetCore5Rasp(AspNetCoreTestFixture fixture, ITestOutputHelper outputHe EnableRasp(); SetSecurity(true); EnableIast(enableIast); + AddCookies(new Dictionary { { "cookie-key", "cookie-value" } }); SetEnvironmentVariable(ConfigurationKeys.Iast.IsIastDeduplicationEnabled, "false"); SetEnvironmentVariable(ConfigurationKeys.Iast.VulnerabilitiesPerRequest, "100"); SetEnvironmentVariable(ConfigurationKeys.Iast.RequestSampling, "100"); diff --git a/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetMvc5Rasp.cs b/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetMvc5Rasp.cs index b570130b7c0c..9721e869babe 100644 --- a/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetMvc5Rasp.cs +++ b/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetMvc5Rasp.cs @@ -8,10 +8,10 @@ #pragma warning disable SA1649 // File name must match first type name using System; +using System.Collections.Generic; using System.Collections.Immutable; using System.Linq; using System.Threading.Tasks; -using Datadog.Trace.AppSec; using Datadog.Trace.Iast.Telemetry; using Datadog.Trace.Security.IntegrationTests.IAST; using Datadog.Trace.TestHelpers; 
@@ -68,6 +68,7 @@ public AspNetMvc5RaspTests(IisFixture iisFixture, ITestOutputHelper output, bool EnableRasp(); SetSecurity(true); EnableIast(enableIast); + AddCookies(new Dictionary { { "cookie-key", "cookie-value" } }); EnableIastTelemetry((int)IastMetricsVerbosityLevel.Off); EnableEvidenceRedaction(false); SetEnvironmentVariable("DD_IAST_DEDUPLICATION_ENABLED", "false"); diff --git a/tracer/test/snapshots/Rasp.AspNetCore2.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt b/tracer/test/snapshots/Rasp.AspNetCore2.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt index 73c0e376c390..26b698aacb66 100644 --- a/tracer/test/snapshots/Rasp.AspNetCore2.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetCore2.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt @@ -49,6 +49,7 @@ _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-, _dd.appsec.fp.http.header: hdr-0100000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Rasp.AspNetCore2.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt b/tracer/test/snapshots/Rasp.AspNetCore2.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt index bd5dcda965f6..5ae169f0f987 100644 
--- a/tracer/test/snapshots/Rasp.AspNetCore2.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetCore2.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt @@ -49,6 +49,7 @@ _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-, _dd.appsec.fp.http.header: hdr-0100000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Rasp.AspNetCore2.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/Rasp.AspNetCore2.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt index 5acfb4cab87d..8bb276b8eab4 100644 --- a/tracer/test/snapshots/Rasp.AspNetCore2.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetCore2.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt @@ -49,6 +49,7 @@ _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-, _dd.appsec.fp.http.header: hdr-0100000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
diff --git a/tracer/test/snapshots/Rasp.AspNetCore2.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/Rasp.AspNetCore2.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt index 90c7e54a68aa..4d5d695ff0a6 100644 --- a/tracer/test/snapshots/Rasp.AspNetCore2.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetCore2.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt @@ -49,6 +49,7 @@ span.kind: server, _dd.appsec.fp.http.header: hdr-0100000100-3626b5f8-2-da57b738, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-942-100","name":"SQL injection exploit","tags":{"category":"vulnerability_trigger","type":"sql_injection"}},"rule_matches":[{"operator":"sqli_detector","operator_value":"","parameters":[{"address":null,"highlight":["' or '1'='1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Rasp.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt b/tracer/test/snapshots/Rasp.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt index a44cdcb37fd7..04c4afbca9a1 100644 --- a/tracer/test/snapshots/Rasp.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt 
@@ -50,6 +50,7 @@ _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Rasp.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt b/tracer/test/snapshots/Rasp.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt index c959892ca905..ab52965e5895 100644 --- a/tracer/test/snapshots/Rasp.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt @@ -50,6 +50,7 @@ _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
diff --git a/tracer/test/snapshots/Rasp.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/Rasp.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt index b464a6d4f104..1bc4b3bbccc1 100644 --- a/tracer/test/snapshots/Rasp.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt @@ -50,6 +50,7 @@ _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Rasp.AspNetCore5.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/Rasp.AspNetCore5.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt index 0e18ab2951b2..a8d01b00b9af 100644 --- a/tracer/test/snapshots/Rasp.AspNetCore5.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetCore5.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt 
@@ -50,6 +50,7 @@ span.kind: server, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-942-100","name":"SQL injection exploit","tags":{"category":"vulnerability_trigger","type":"sql_injection"}},"rule_matches":[{"operator":"sqli_detector","operator_value":"","parameters":[{"address":null,"highlight":["' or '1'='1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt index b07b2cca8b6c..beed3860b52b 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt @@ -26,7 +26,7 @@ _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt index b3dc4cab0730..7e0d9e782422 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt @@ -49,7 +49,7 @@ _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt index e1dc0fa28d45..015b6a5e5712 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt 
@@ -49,7 +49,7 @@ _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt index 40d7c04869f1..4afd6d1d4182 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt @@ -26,7 +26,7 @@ _dd.appsec.fp.http.endpoint: http-get-ece9044c-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt index 0ce1138260b9..8210d2460796 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt @@ -27,7 +27,7 @@ _dd.appsec.fp.http.endpoint: http-post-a13f66cb--6f45fc03, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-942-100","name":"SQL injection exploit","tags":{"category":"vulnerability_trigger","type":"sql_injection"}},"rule_matches":[{"operator":"sqli_detector","operator_value":"","parameters":[{"address":null,"highlight":["' or '1'='1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt index 617398f5083a..34b113fa4d44 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt 
@@ -27,7 +27,7 @@ _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt index c7654d8c2135..b6606621d105 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt @@ -50,7 +50,7 @@ _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt index 3fd6f683cee3..4eac5320bb9b 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt @@ -50,7 +50,7 @@ _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt index ab5c703e98cf..3ff869ca2a8f 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt 
@@ -27,7 +27,7 @@ _dd.appsec.fp.http.endpoint: http-get-ece9044c-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt index fff6aa5dc652..a05f48c269a0 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt @@ -28,7 +28,7 @@ _dd.appsec.fp.http.endpoint: http-post-a13f66cb--6f45fc03, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-942-100","name":"SQL injection exploit","tags":{"category":"vulnerability_trigger","type":"sql_injection"}},"rule_matches":[{"operator":"sqli_detector","operator_value":"","parameters":[{"address":null,"highlight":["' or '1'='1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
diff --git a/tracer/test/snapshots/RaspIast.AspNetCore2.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt b/tracer/test/snapshots/RaspIast.AspNetCore2.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt index 932b0cd1773d..e2e0ec79f501 100644 --- a/tracer/test/snapshots/RaspIast.AspNetCore2.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetCore2.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt @@ -49,6 +49,7 @@ _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-, _dd.appsec.fp.http.header: hdr-0100000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspIast.AspNetCore2.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt b/tracer/test/snapshots/RaspIast.AspNetCore2.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt index a739ef5b7aa2..b6f04b35a421 100644 --- a/tracer/test/snapshots/RaspIast.AspNetCore2.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetCore2.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt 
@@ -49,6 +49,7 @@ _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-, _dd.appsec.fp.http.header: hdr-0100000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspIast.AspNetCore2.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/RaspIast.AspNetCore2.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt index 9a8f71c4047a..42d5aea4d6f2 100644 --- a/tracer/test/snapshots/RaspIast.AspNetCore2.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetCore2.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt @@ -49,6 +49,7 @@ _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-, _dd.appsec.fp.http.header: hdr-0100000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: 
diff --git a/tracer/test/snapshots/RaspIast.AspNetCore2.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/RaspIast.AspNetCore2.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt index 913672ee3875..e8f0de253c11 100644 --- a/tracer/test/snapshots/RaspIast.AspNetCore2.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetCore2.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt @@ -49,6 +49,7 @@ span.kind: server, _dd.appsec.fp.http.header: hdr-0100000100-3626b5f8-2-da57b738, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-942-100","name":"SQL injection exploit","tags":{"category":"vulnerability_trigger","type":"sql_injection"}},"rule_matches":[{"operator":"sqli_detector","operator_value":"","parameters":[{"address":null,"highlight":["' or '1'='1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspIast.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt b/tracer/test/snapshots/RaspIast.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt index 0f1ce4968ca4..fefe1d18adbd 100644 --- a/tracer/test/snapshots/RaspIast.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt 
@@ -50,6 +50,7 @@ _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspIast.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt b/tracer/test/snapshots/RaspIast.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt index be8991b62403..4d2f4c7b6b0c 100644 --- a/tracer/test/snapshots/RaspIast.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt @@ -50,6 +50,7 @@ _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: 
diff --git a/tracer/test/snapshots/RaspIast.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/RaspIast.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt index e6d566395b53..4a3e8a24c636 100644 --- a/tracer/test/snapshots/RaspIast.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt @@ -50,6 +50,7 @@ _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspIast.AspNetCore5.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/RaspIast.AspNetCore5.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt index afa83f61ddd1..124f173695b0 100644 --- a/tracer/test/snapshots/RaspIast.AspNetCore5.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetCore5.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt 
@@ -50,6 +50,7 @@ span.kind: server, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-942-100","name":"SQL injection exploit","tags":{"category":"vulnerability_trigger","type":"sql_injection"}},"rule_matches":[{"operator":"sqli_detector","operator_value":"","parameters":[{"address":null,"highlight":["' or '1'='1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt index 6939a7f4b4ac..f9f4c11c1c66 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt @@ -26,7 +26,7 @@ _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: 
diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt index c6c3dd624f5e..b93a9fd4ab43 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt @@ -49,7 +49,7 @@ _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt index d1fc34bc1f76..1e0409650c2e 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt 
@@ -49,7 +49,7 @@ _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt index 4c81edc10ea7..75973110d1d3 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt @@ -26,7 +26,7 @@ _dd.appsec.fp.http.endpoint: http-get-ece9044c-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: 
diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt index 76ebfc9b14ec..4eae06cce5d5 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt @@ -27,7 +27,7 @@ _dd.appsec.fp.http.endpoint: http-post-a13f66cb--6f45fc03, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-942-100","name":"SQL injection exploit","tags":{"category":"vulnerability_trigger","type":"sql_injection"}},"rule_matches":[{"operator":"sqli_detector","operator_value":"","parameters":[{"address":null,"highlight":["' or '1'='1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt index 7c752621992e..73ca2cc8c538 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt 
+++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt @@ -27,7 +27,7 @@ _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt index b48f891d85a6..e0ea205adb36 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt 
@@ -50,7 +50,7 @@ _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt index 4991524a1f7f..f062e56c2a3c 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt @@ -50,7 +50,7 @@ _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: 
diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt index 46ddcfc74615..6711b13bd026 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt @@ -27,7 +27,7 @@ _dd.appsec.fp.http.endpoint: http-get-ece9044c-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt index d195932a7c64..6f54490b2886 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt 
@@ -28,7 +28,7 @@ _dd.appsec.fp.http.endpoint: http-post-a13f66cb--6f45fc03, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, - _dd.appsec.fp.session: ssn----, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-942-100","name":"SQL injection exploit","tags":{"category":"vulnerability_trigger","type":"sql_injection"}},"rule_matches":[{"operator":"sqli_detector","operator_value":"","parameters":[{"address":null,"highlight":["' or '1'='1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspRCM.RuleEnableDisableEnable.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt b/tracer/test/snapshots/RaspRCM.RuleEnableDisableEnable.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt index 104a200a9497..775f5c88bca8 100644 --- a/tracer/test/snapshots/RaspRCM.RuleEnableDisableEnable.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt +++ b/tracer/test/snapshots/RaspRCM.RuleEnableDisableEnable.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt @@ -51,6 +51,7 @@ _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -175,6 +176,7 @@ _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-,
 _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63,
 _dd.appsec.fp.http.network: net-1-1000000000,
+ _dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
 _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]},
 _dd.origin: appsec,
 _dd.runtime_family: dotnet
From 615aa0e9d19dedeb2fe6362f47f5ea84bac8fe3c Mon Sep 17 00:00:00 2001
From: NachoEchevarria
Date: Thu, 17 Oct 2024 17:02:19 +0200
Subject: [PATCH 2/6] Refactor get headers and cookies
---
 .../Coordinator/SecurityCoordinator.Core.cs | 54 ++--------
 .../SecurityCoordinator.Framework.cs | 45 +--------
 .../AppSec/Coordinator/SecurityCoordinator.cs | 99 +++++++++++++++++--
 3 files changed, 101 insertions(+), 97 deletions(-)
diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs
index 4073118697eb..60b27d1dc241 100644
--- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs
+++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs
@@ -8,7 +8,6 @@
 #if !NETFRAMEWORK
 using System.Collections;
 using System.Collections.Generic;
-using System.Linq;
 using Datadog.Trace.AppSec.Waf;
 using Datadog.Trace.Headers;
 using Datadog.Trace.Util.Http;
@@ -45,35 +44,6 @@ private SecurityCoordinator(Security security, Span span, HttpTransport transpor
 internal static SecurityCoordinator Get(Security security, Span span, HttpTransport transport) => new(security, span, transport);
- public static Dictionary ExtractHeadersFromRequest(IHeaderDictionary headers)
- {
- var headersDic = new Dictionary(headers.Keys.Count);
- foreach (var k in headers.Keys)
- {
- var currentKey = k ?? string.Empty;
- if (!currentKey.Equals("cookie", System.StringComparison.OrdinalIgnoreCase))
- {
- currentKey = currentKey.ToLowerInvariant();
- var value = GetHeaderValueForWaf(headers[currentKey]);
-#if NETCOREAPP
- if (!headersDic.TryAdd(currentKey, value))
- {
-#else
- if (!headersDic.ContainsKey(currentKey))
- {
- headersDic.Add(currentKey, value);
- }
- else
- {
-#endif
- Log.Warning("Header {Key} couldn't be added as argument to the waf", currentKey);
- }
- }
- }
-
- return headersDic;
- }
-
 private static object GetHeaderValueForWaf(StringValues value)
 {
 return (value.Count == 1 ? value[0] : value);
@@ -109,23 +79,7 @@ private Dictionary GetBasicRequestArgsForWaf()
 {
 var request = _httpTransport.Context.Request;
 var headersDic = ExtractHeadersFromRequest(request.Headers);
-
- var cookiesDic = new Dictionary>(request.Cookies.Keys.Count);
- for (var i = 0; i < request.Cookies.Count; i++)
- {
- var cookie = request.Cookies.ElementAt(i);
- var currentKey = cookie.Key ?? string.Empty;
- var keyExists = cookiesDic.TryGetValue(currentKey, out var value);
- if (!keyExists)
- {
- cookiesDic.Add(currentKey, [cookie.Value ?? string.Empty]);
- }
- else
- {
- value?.Add(cookie.Value);
- }
- }
-
+ var cookiesDic = ExtractCookiesFromRequest(request);
 var queryStringDic = new Dictionary>(request.Query.Count);
 // a query string like ?test&[$slice} only fills the key part in dotnetcore and in IIS it only fills the value part, it's been decided to make it a key always
 foreach (var kvp in request.Query)
@@ -153,7 +107,11 @@ private Dictionary GetBasicRequestArgsForWaf()
 AddAddressIfDictionaryHasElements(AddressesConstants.RequestQuery, queryStringDic);
 AddAddressIfDictionaryHasElements(AddressesConstants.RequestHeaderNoCookies, headersDic);
- AddAddressIfDictionaryHasElements(AddressesConstants.RequestCookies, cookiesDic);
+
+ if (cookiesDic is not null)
+ {
+ AddAddressIfDictionaryHasElements(AddressesConstants.RequestCookies, cookiesDic);
+ }
 return addressesDictionary;
diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Framework.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Framework.cs
index 666ee51b3e3e..6498c3a9017c 100644
--- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Framework.cs
+++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Framework.cs
@@ -394,50 +394,9 @@ public Dictionary GetBasicRequestArgsForWaf()
 {
 var request = _httpTransport.Context.Request;
 var headers = RequestDataHelper.GetHeaders(request);
- Dictionary? headersDic = null;
+ var headersDic = ExtractHeadersFromRequest(request.Headers);
- if (headers is not null)
- {
- var headerKeys = headers.Keys;
- headersDic = new Dictionary(headerKeys.Count);
- foreach (string originalKey in headerKeys)
- {
- var keyForDictionary = originalKey?.ToLowerInvariant() ?? string.Empty;
- if (keyForDictionary != "cookie")
- {
- if (!headersDic.ContainsKey(keyForDictionary))
- {
- headersDic.Add(keyForDictionary, GetHeaderValueForWaf(headers.GetValues(originalKey)));
- }
- else
- {
- Log.Warning("Header {Key} couldn't be added as argument to the waf", keyForDictionary);
- }
- }
- }
- }
- var cookies = RequestDataHelper.GetCookies(request);
- Dictionary>? cookiesDic = null;
- if (cookies != null)
- {
- cookiesDic = new(cookies.AllKeys.Length);
- for (var i = 0; i < cookies.Count; i++)
- {
- var cookie = cookies[i];
- var keyForDictionary = cookie.Name ?? string.Empty;
- var keyExists = cookiesDic.TryGetValue(keyForDictionary, out var value);
- if (!keyExists)
- {
- cookiesDic.Add(keyForDictionary, new List { cookie.Value ?? string.Empty });
- }
- else
- {
- value.Add(cookie.Value);
- }
- }
- }
+ var cookiesDic = ExtractCookiesFromRequest(request);
 var queryString = RequestDataHelper.GetQueryString(request);
 Dictionary? queryDic = null;
diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs
index 4a235a85e0d6..21e300eff4be 100644
--- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs
+++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs
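Review bot: The new `var headersDic = ExtractHeadersFromRequest(request.Headers);` reads `request.Headers` directly even though the line above still goes through `RequestDataHelper.GetHeaders(request)`, and the removed `if (headers is not null)` guard has no replacement — `ExtractHeadersFromRequest` dereferences `headers.Keys` unconditionally. The old guard shows the helper can return null, and on ASP.NET Framework it presumably exists to shield header access (reading validated request collections can throw); passing the property bypasses whatever it protects, so pass the helper's result instead, `var headersDic = headers is not null ? ExtractHeadersFromRequest(headers) : null;`, which also keeps the `headers` local from becoming unused. GetBasicRequestArgsForWaf continues past the hunk, so how a null `headersDic` is consumed further down is not visible here.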
@@ -7,18 +7,20 @@
 #pragma warning disable CS0282
 using System;
 using System.Collections.Generic;
-using System.IO;
-using System.IO.Compression;
 using System.Text;
 using Datadog.Trace.AppSec.Waf;
-using Datadog.Trace.AppSec.Waf.ReturnTypes.Managed;
-using Datadog.Trace.ExtensionMethods;
 using Datadog.Trace.Logging;
 using Datadog.Trace.Telemetry;
 using Datadog.Trace.Telemetry.Metrics;
-using Datadog.Trace.Vendors.MessagePack;
-using Datadog.Trace.Vendors.Newtonsoft.Json;
+using Datadog.Trace.Util;
 using Datadog.Trace.Vendors.Serilog.Events;
+#if !NETFRAMEWORK
+using System.Linq;
+using Microsoft.AspNetCore.Http;
+#else
+using System.Collections.Specialized;
+using System.Web;
+#endif
 namespace Datadog.Trace.AppSec.Coordinator;
@@ -165,5 +167,90 @@ public void AddResponseHeadersToSpanAndCleanup()
 _httpTransport.DisposeAdditiveContext();
 }
+ internal static Dictionary? ExtractCookiesFromRequest(HttpRequest request)
+ {
+ var cookies = RequestDataHelper.GetCookies(request);
+ Dictionary? cookiesDic = null;
+
+ if (cookies != null)
+ {
+ cookiesDic = new(cookies.Keys.Count);
+ for (var i = 0; i < cookies.Count; i++)
+ {
+#if NETCOREAPP || NETSTANDARD
+ var cookie = cookies.ElementAt(i);
+ var keyForDictionary = cookie.Key ?? string.Empty;
+#else
+ var cookie = cookies[i];
+ var keyForDictionary = cookie.Name ?? string.Empty;
+#endif
+ var keyExists = cookiesDic.TryGetValue(keyForDictionary, out var value);
+
+ if (!keyExists)
+ {
+ cookiesDic.Add(keyForDictionary, cookie.Value ?? string.Empty);
+ }
+ else
+ {
+ if (value is string)
+ {
+ cookiesDic[keyForDictionary] = new List { (string)value, cookie.Value ?? string.Empty };
+ }
+ else
+ {
+ if (value is List valueList)
+ {
+ valueList.Add(cookie.Value ?? string.Empty);
+ }
+ else
+ {
+ Log.Warning("Cookie {Key} couldn't be added as argument to the waf", keyForDictionary);
+ }
+ }
+ }
+ }
+ }
+
+ return cookiesDic;
+ }
+
+#if NETFRAMEWORK
+ internal static Dictionary ExtractHeadersFromRequest(NameValueCollection headers)
+#else
+ internal static Dictionary ExtractHeadersFromRequest(IHeaderDictionary headers)
+#endif
+ {
+ var headersDic = new Dictionary(headers.Keys.Count);
+ foreach (string key in headers.Keys)
+ {
+ var currentKey = key ?? 
string.Empty;
+ if (!currentKey.Equals("cookie", System.StringComparison.OrdinalIgnoreCase))
+ {
+ currentKey = currentKey.ToLowerInvariant();
+
+#if NETCOREAPP || NETSTANDARD
+ var value = GetHeaderValueForWaf(headers[currentKey]);
+#else
+ var value = GetHeaderValueForWaf(headers.GetValues(currentKey));
+#endif
+#if NETCOREAPP
+ if (!headersDic.TryAdd(currentKey, value))
+ {
+#else
+ if (!headersDic.ContainsKey(currentKey))
+ {
+ headersDic.Add(currentKey, value);
+ }
+ else
+ {
+#endif
+ Log.Warning("Header {Key} couldn't be added as argument to the waf", currentKey);
+ }
+ }
+ }
+
+ return headersDic;
+ }
+
 private static Span TryGetRoot(Span span) => span.Context.TraceContext?.RootSpan ?? span;
 }
From f26fa7b7b9ab92fe655b401ce4f045303fe1a9fb Mon Sep 17 00:00:00 2001
From: NachoEchevarria
Date: Fri, 18 Oct 2024 11:53:54 +0200
Subject: [PATCH 3/6] Fix snapshots. Refactor securitycoordinator.
---
 .../AppSec/Coordinator/SecurityCoordinator.cs | 26 +++++++------------
 ...e.__scenario=scan-empty-model.verified.txt | 2 +-
 ...e.__scenario=scan-with-attack.verified.txt | 2 +-
 ..._scenario=scan-without-attack.verified.txt | 2 +-
 ...e.__scenario=scan-empty-model.verified.txt | 2 +-
 ...e.__scenario=scan-with-attack.verified.txt | 2 +-
 ..._scenario=scan-without-attack.verified.txt | 2 +-
 7 files changed, 16 insertions(+), 22 deletions(-)
diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs
index 21e300eff4be..0bf5a4d48f50 100644
--- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs
+++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs
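Review bot: In the `#if NETCOREAPP || NETSTANDARD` branch of `ExtractCookiesFromRequest`, `cookies.ElementAt(i)` inside a `for` over `cookies.Count` re-walks the cookie enumerable from the start on every iteration, so the loop is quadratic in the number of cookies on a path that runs for every inspected request; a `foreach` in that branch removes the cost, which is also the only reason `System.Linq` was pulled in for this file. In `ExtractHeadersFromRequest`, the NETFRAMEWORK branch now calls `headers.GetValues(currentKey)` with the lowercased key, whereas the Framework code this patch removes used the original key; that is only equivalent when the `NameValueCollection` compares keys case-insensitively, which holds for `HttpRequest.Headers` but not for an arbitrary collection passed to this now-shared method, so look up by the original key or note the assumption in a comment on the method. The `cookies != null` check could be `is not null` to match the `cookiesDic is not null` guard elsewhere in the patch. This hunk spans both collapsed lines; the cookie loop restructure would look like:
```csharp
#if NETCOREAPP || NETSTANDARD
 foreach (var cookie in cookies)
 {
 var keyForDictionary = cookie.Key ?? string.Empty;
#else
 for (var i = 0; i < cookies.Count; i++)
 {
 var cookie = cookies[i];
 var keyForDictionary = cookie.Name ?? string.Empty;
#endif
 // … unchanged: first-value store and duplicate-key merge …
```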
@@ -167,14 +167,13 @@ public void AddResponseHeadersToSpanAndCleanup()
 _httpTransport.DisposeAdditiveContext();
 }
- internal static Dictionary? ExtractCookiesFromRequest(HttpRequest request)
+ internal static Dictionary ExtractCookiesFromRequest(HttpRequest request)
 {
 var cookies = RequestDataHelper.GetCookies(request);
- Dictionary? cookiesDic = null;
+ var cookiesDic = new Dictionary();
 if (cookies != null)
 {
- cookiesDic = new(cookies.Keys.Count);
 for (var i = 0; i < cookies.Count; i++)
 {
 #if NETCOREAPP || NETSTANDARD
@@ -184,28 +183,23 @@ public void AddResponseHeadersToSpanAndCleanup()
 var cookie = cookies[i];
 var keyForDictionary = cookie.Name ?? string.Empty;
 #endif
- var keyExists = cookiesDic.TryGetValue(keyForDictionary, out var value);
-
- if (!keyExists)
+ if (!cookiesDic.TryGetValue(keyForDictionary, out var value))
 {
 cookiesDic.Add(keyForDictionary, cookie.Value ?? string.Empty);
 }
 else
 {
- if (value is string)
+ if (value is string stringValue)
+ {
+ cookiesDic[keyForDictionary] = new List { stringValue, cookie.Value ?? string.Empty };
+ }
+ else if (value is List valueList)
 {
- cookiesDic[keyForDictionary] = new List { (string)value, cookie.Value ?? string.Empty };
+ valueList.Add(cookie.Value ?? string.Empty);
 }
 else
 {
- if (value is List valueList)
- {
- valueList.Add(cookie.Value ?? string.Empty);
- }
- else
- {
- Log.Warning("Cookie {Key} couldn't be added as argument to the waf", keyForDictionary);
- }
+ Log.Warning("Cookie {Key} couldn't be added as argument to the waf", keyForDictionary);
 }
 }
 }
diff --git a/tracer/test/snapshots/Security.AspNetFxWebApiApiSecurity.enableApiSecurity=True.__scenario=scan-empty-model.verified.txt b/tracer/test/snapshots/Security.AspNetFxWebApiApiSecurity.enableApiSecurity=True.__scenario=scan-empty-model.verified.txt
index d45bfabcef68..f10472279e9a 100644
--- a/tracer/test/snapshots/Security.AspNetFxWebApiApiSecurity.enableApiSecurity=True.__scenario=scan-empty-model.verified.txt
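Review bot: `ExtractCookiesFromRequest` now returns a non-nullable, always-allocated dictionary, but the `if (cookiesDic is not null)` guard that the previous patch added around `AddAddressIfDictionaryHasElements(AddressesConstants.RequestCookies, cookiesDic);` in SecurityCoordinator.Core.cs is not touched here (the diffstat lists only SecurityCoordinator.cs and snapshots), so it is now dead and the call should go back to an unguarded line; whether an empty dictionary is then skipped depends on that helper doing what its name says, which is not visible here. Replacing `cookiesDic = new(cookies.Keys.Count);` with `var cookiesDic = new Dictionary();` also drops the capacity hint and allocates even when `cookies` is null; sizing from `cookies?.Count ?? 0` keeps both. The trailing `else` that logs "Cookie {Key} couldn't be added" looks unreachable, since this method is the only writer and only ever stores a `string` or the `List` it creates — a one-line comment saying it is defensive would stop the next reader from hunting for the case. The method's closing lines are outside the second hunk.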
+++ b/tracer/test/snapshots/Security.AspNetFxWebApiApiSecurity.enableApiSecurity=True.__scenario=scan-empty-model.verified.txt @@ -40,7 +40,7 @@ runtime-id: Guid_1, span.kind: server, _dd.appsec.s.req.body: [{"model":[{"Dog":[4],"Dog2":[8],"Dog3":[16],"Dog4":[16],"Dog5":[1]}]}], - _dd.appsec.s.req.cookies: [{"cookie-key":[[[8]],{"len":1}]}], + _dd.appsec.s.req.cookies: [{"cookie-key":[8]}], _dd.appsec.s.req.headers: [{"content-length":[8],"content-type":[8],"expect":[8],"host":[8],"traceparent":[8],"tracestate":[8],"user-agent":[8],"x-datadog-parent-id":[8],"x-datadog-sampling-priority":[8],"x-datadog-tags":[8],"x-datadog-trace-id":[8],"x-forwarded-for":[8]}], _dd.appsec.s.req.params: [{"MS_SubRoutes":[[[{}]],{"len":1}]}], _dd.appsec.s.req.query: [{}], diff --git a/tracer/test/snapshots/Security.AspNetFxWebApiApiSecurity.enableApiSecurity=True.__scenario=scan-with-attack.verified.txt b/tracer/test/snapshots/Security.AspNetFxWebApiApiSecurity.enableApiSecurity=True.__scenario=scan-with-attack.verified.txt index bff3f4aea3df..28e691f7f077 100644 --- a/tracer/test/snapshots/Security.AspNetFxWebApiApiSecurity.enableApiSecurity=True.__scenario=scan-with-attack.verified.txt +++ b/tracer/test/snapshots/Security.AspNetFxWebApiApiSecurity.enableApiSecurity=True.__scenario=scan-with-attack.verified.txt 
@@ -51,7 +51,7 @@ span.kind: server, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-932-160","name":"Remote Command Execution: Unix Shell Code Found","tags":{"category":"attack_attempt","type":"command_injection"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.body","highlight":["dev/zero"],"key_path":["model","Dog2"],"value":"dev/zero"}]}]}]}, _dd.appsec.s.req.body: [{"model":[{"Dog":[4],"Dog2":[8],"Dog3":[16],"Dog4":[16],"Dog5":[1]}]}], - _dd.appsec.s.req.cookies: [{"cookie-key":[[[8]],{"len":1}]}], + _dd.appsec.s.req.cookies: [{"cookie-key":[8]}], _dd.appsec.s.req.headers: [{"content-length":[8],"content-type":[8],"expect":[8],"host":[8],"traceparent":[8],"tracestate":[8],"user-agent":[8],"x-datadog-parent-id":[8],"x-datadog-sampling-priority":[8],"x-datadog-tags":[8],"x-datadog-trace-id":[8],"x-forwarded-for":[8]}], _dd.appsec.s.req.params: [{"MS_SubRoutes":[[[{}]],{"len":1}]}], _dd.appsec.s.req.query: [{}], diff --git a/tracer/test/snapshots/Security.AspNetFxWebApiApiSecurity.enableApiSecurity=True.__scenario=scan-without-attack.verified.txt b/tracer/test/snapshots/Security.AspNetFxWebApiApiSecurity.enableApiSecurity=True.__scenario=scan-without-attack.verified.txt index 23f61bee8d5f..22d314fce2f1 100644 --- a/tracer/test/snapshots/Security.AspNetFxWebApiApiSecurity.enableApiSecurity=True.__scenario=scan-without-attack.verified.txt +++ b/tracer/test/snapshots/Security.AspNetFxWebApiApiSecurity.enableApiSecurity=True.__scenario=scan-without-attack.verified.txt 
@@ -40,7 +40,7 @@ runtime-id: Guid_1, span.kind: server, _dd.appsec.s.req.body: [{"model":[{"Dog":[4],"Dog2":[8],"Dog3":[16],"Dog4":[16],"Dog5":[1]}]}], - _dd.appsec.s.req.cookies: [{"cookie-key":[[[8]],{"len":1}]}], + _dd.appsec.s.req.cookies: [{"cookie-key":[8]}], _dd.appsec.s.req.headers: [{"content-length":[8],"content-type":[8],"expect":[8],"host":[8],"traceparent":[8],"tracestate":[8],"user-agent":[8],"x-datadog-parent-id":[8],"x-datadog-sampling-priority":[8],"x-datadog-tags":[8],"x-datadog-trace-id":[8],"x-forwarded-for":[8]}], _dd.appsec.s.req.params: [{"MS_SubRoutes":[[[{}]],{"len":1}]}], _dd.appsec.s.req.query: [{}], diff --git a/tracer/test/snapshots/Security.AspNetMvc5ApiSecurity.enableApiSecurity=True.__scenario=scan-empty-model.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5ApiSecurity.enableApiSecurity=True.__scenario=scan-empty-model.verified.txt index 2c0a907044b3..6d9973a5cf1f 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5ApiSecurity.enableApiSecurity=True.__scenario=scan-empty-model.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5ApiSecurity.enableApiSecurity=True.__scenario=scan-empty-model.verified.txt @@ -44,7 +44,7 @@ runtime-id: Guid_1, span.kind: server, _dd.appsec.s.req.body: [{"model":[{"Dog":[4],"Dog2":[8],"Dog3":[16],"Dog4":[16],"Dog5":[1]}]}], - _dd.appsec.s.req.cookies: [{"cookie-key":[[[8]],{"len":1}]}], + _dd.appsec.s.req.cookies: [{"cookie-key":[8]}], _dd.appsec.s.req.headers: [{"content-length":[8],"content-type":[8],"expect":[8],"host":[8],"traceparent":[8],"tracestate":[8],"user-agent":[8],"x-datadog-parent-id":[8],"x-datadog-sampling-priority":[8],"x-datadog-tags":[8],"x-datadog-trace-id":[8],"x-forwarded-for":[8]}], _dd.appsec.s.req.params: [{"action":[8],"controller":[8]}], _dd.appsec.s.req.query: [{}], 
diff --git a/tracer/test/snapshots/Security.AspNetMvc5ApiSecurity.enableApiSecurity=True.__scenario=scan-with-attack.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5ApiSecurity.enableApiSecurity=True.__scenario=scan-with-attack.verified.txt index 28ae31830bce..0f85ab7340df 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5ApiSecurity.enableApiSecurity=True.__scenario=scan-with-attack.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5ApiSecurity.enableApiSecurity=True.__scenario=scan-with-attack.verified.txt @@ -54,7 +54,7 @@ span.kind: server, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-932-160","name":"Remote Command Execution: Unix Shell Code Found","tags":{"category":"attack_attempt","type":"command_injection"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.body","highlight":["dev/zero"],"key_path":["model","Dog2"],"value":"dev/zero"}]}]}]}, _dd.appsec.s.req.body: [{"model":[{"Dog":[4],"Dog2":[8],"Dog3":[16],"Dog4":[16],"Dog5":[1]}]}], - _dd.appsec.s.req.cookies: [{"cookie-key":[[[8]],{"len":1}]}], + _dd.appsec.s.req.cookies: [{"cookie-key":[8]}], _dd.appsec.s.req.headers: [{"content-length":[8],"content-type":[8],"expect":[8],"host":[8],"traceparent":[8],"tracestate":[8],"user-agent":[8],"x-datadog-parent-id":[8],"x-datadog-sampling-priority":[8],"x-datadog-tags":[8],"x-datadog-trace-id":[8],"x-forwarded-for":[8]}], _dd.appsec.s.req.params: [{"action":[8],"controller":[8],"id":[8]}], _dd.appsec.s.req.query: [{}], diff --git a/tracer/test/snapshots/Security.AspNetMvc5ApiSecurity.enableApiSecurity=True.__scenario=scan-without-attack.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5ApiSecurity.enableApiSecurity=True.__scenario=scan-without-attack.verified.txt index 0d2f0c1d83b9..0554c39c2c7f 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5ApiSecurity.enableApiSecurity=True.__scenario=scan-without-attack.verified.txt 
+++ b/tracer/test/snapshots/Security.AspNetMvc5ApiSecurity.enableApiSecurity=True.__scenario=scan-without-attack.verified.txt @@ -44,7 +44,7 @@ runtime-id: Guid_1, span.kind: server, _dd.appsec.s.req.body: [{"model":[{"Dog":[4],"Dog2":[8],"Dog3":[16],"Dog4":[16],"Dog5":[1]}]}], - _dd.appsec.s.req.cookies: [{"cookie-key":[[[8]],{"len":1}]}], + _dd.appsec.s.req.cookies: [{"cookie-key":[8]}], _dd.appsec.s.req.headers: [{"content-length":[8],"content-type":[8],"expect":[8],"host":[8],"traceparent":[8],"tracestate":[8],"user-agent":[8],"x-datadog-parent-id":[8],"x-datadog-sampling-priority":[8],"x-datadog-tags":[8],"x-datadog-trace-id":[8],"x-forwarded-for":[8]}], _dd.appsec.s.req.params: [{"action":[8],"controller":[8],"id":[8]}], _dd.appsec.s.req.query: [{}], From 64b49cdd29e21bed98f074020d86a1dae652abe4 Mon Sep 17 00:00:00 2001 From: NachoEchevarria Date: Mon, 21 Oct 2024 12:32:10 +0200 Subject: [PATCH 4/6] Check for null cookies keys/values --- .../AppSec/Coordinator/SecurityCoordinator.cs | 31 ++++++++++--------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs index 0bf5a4d48f50..2a4000e7e2a7 100644 --- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs +++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs 
@@ -178,28 +178,31 @@ internal static Dictionary ExtractCookiesFromRequest(HttpRequest { #if NETCOREAPP || NETSTANDARD var cookie = cookies.ElementAt(i); - var keyForDictionary = cookie.Key ?? string.Empty; + var keyForDictionary = cookie.Key; #else var cookie = cookies[i]; - var keyForDictionary = cookie.Name ?? string.Empty; + var keyForDictionary = cookie.Name; #endif - if (!cookiesDic.TryGetValue(keyForDictionary, out var value)) + if (cookie.Value is not null && keyForDictionary is not null) { - cookiesDic.Add(keyForDictionary, cookie.Value ?? string.Empty); - } - else - { - if (value is string stringValue) - { - cookiesDic[keyForDictionary] = new List { stringValue, cookie.Value ?? string.Empty }; - } - else if (value is List valueList) + if (!cookiesDic.TryGetValue(keyForDictionary, out var value)) { - valueList.Add(cookie.Value ?? string.Empty); + cookiesDic.Add(keyForDictionary, cookie.Value); } else { - Log.Warning("Cookie {Key} couldn't be added as argument to the waf", keyForDictionary); + if (value is string stringValue) + { + cookiesDic[keyForDictionary] = new List { stringValue, cookie.Value }; + } + else if (value is List valueList) + { + valueList.Add(cookie.Value); + } + else + { + Log.Warning("Cookie {Key} couldn't be added as argument to the waf", keyForDictionary); + } } } } From be9408adc7efcf619fe03b7a9e4c3e38598cca37 Mon Sep 17 00:00:00 2001 From: NachoEchevarria Date: Mon, 21 Oct 2024 12:36:10 +0200 Subject: [PATCH 5/6] Return null when cookies are not present --- .../Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs index 2a4000e7e2a7..66b078938fdb 100644 --- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs +++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs 
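Review bot: Cookies whose name or value is null are now skipped without any trace, where the previous code still recorded them under an empty-string key; for an input that feeds the WAF that is a silent loss of visibility, so the skip deserves a log line at debug level or at least a comment stating it is intentional. The extra nesting introduced by the `if (cookie.Value is not null && keyForDictionary is not null)` wrapper could be avoided with a guard clause at the top of the loop body, `if (keyForDictionary is null || cookie.Value is null) { continue; }`, leaving the TryGetValue / list-promotion logic at its original depth. On ASP.NET Core the entries of `IRequestCookieCollection` are `KeyValuePair<string, string>` with non-nullable annotations, so the new check is presumably only effective on the Framework path where `HttpCookie.Name`/`Value` can be null. ExtractCookiesFromRequest's signature and closing brace lie outside the hunk.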
@@ -167,13 +167,13 @@ public void AddResponseHeadersToSpanAndCleanup() _httpTransport.DisposeAdditiveContext(); } - internal static Dictionary ExtractCookiesFromRequest(HttpRequest request) + internal static Dictionary? ExtractCookiesFromRequest(HttpRequest request) { var cookies = RequestDataHelper.GetCookies(request); - var cookiesDic = new Dictionary(); if (cookies != null) { + var cookiesDic = new Dictionary(); for (var i = 0; i < cookies.Count; i++) { #if NETCOREAPP || NETSTANDARD @@ -208,7 +208,7 @@ internal static Dictionary ExtractCookiesFromRequest(HttpRequest } } - return cookiesDic; + return null; } #if NETFRAMEWORK From 85635e6dfe0d5bed00271950b63bba70b097962b Mon Sep 17 00:00:00 2001 From: NachoEchevarria Date: Mon, 21 Oct 2024 15:39:48 +0200 Subject: [PATCH 6/6] Move cookie extraction logic to helper methods --- .../Coordinator/SecurityCoordinator.Core.cs | 13 ++++++++ .../SecurityCoordinator.Framework.cs | 12 +++++++ .../AppSec/Coordinator/SecurityCoordinator.cs | 33 ++++++------------- 3 files changed, 35 insertions(+), 23 deletions(-) diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs index 60b27d1dc241..511f4454c590 100644 --- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs +++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs @@ -8,6 +8,7 @@ #if !NETFRAMEWORK using System.Collections; using System.Collections.Generic; +using System.Linq; using Datadog.Trace.AppSec.Waf; using Datadog.Trace.Headers; using Datadog.Trace.Util.Http; 
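Review bot: At this commit the populated `cookiesDic` is never returned: its declaration moved inside `if (cookies != null)`, the trailing `return cookiesDic;` became `return null;`, and no return was added inside the `if`, so every request reaches the WAF with a null cookie map regardless of what it carried. The missing `return cookiesDic;` only arrives in the next patch of the series (its `@@ -206,6 +200,8 @@` hunk), which leaves this commit broken for bisecting; adding the return here, or squashing 5/6 into 6/6, would repair the history. The new `Dictionary?` return type also changes the method's contract and warrants an XML doc line such as `/// <returns>The request cookies keyed by name, or <c>null</c> when the request exposes no cookie collection.</returns>`. Only the head and tail of the method are in these two hunks; the loop body between them is outside both.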
@@ -49,6 +50,18 @@ private static object GetHeaderValueForWaf(StringValues value) return (value.Count == 1 ? value[0] : value); } + private static object GetHeaderValueForWaf(IHeaderDictionary headers, string currentKey) + { + return GetHeaderValueForWaf(headers[currentKey]); + } + + private static void GetCookieKeyValueFromIndex(IRequestCookieCollection cookies, int i, out string key, out string value) + { + var cookie = cookies.ElementAt(i); + key = cookie.Key; + value = cookie.Value; + } + internal void BlockAndReport(IResult? result) { if (result is not null) diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Framework.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Framework.cs index 6498c3a9017c..c06a8607125d 100644 --- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Framework.cs +++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Framework.cs @@ -469,6 +469,18 @@ private static object GetHeaderValueForWaf(string[] value) return (value.Count() == 1 ? value[0] : value); } + private static object GetHeaderValueForWaf(NameValueCollection headers, string currentKey) + { + return GetHeaderValueForWaf(headers.GetValues(currentKey)); + } + + private static void GetCookieKeyValueFromIndex(HttpCookieCollection cookies, int i, out string key, out string value) + { + var cookie = cookies[i]; + key = cookie.Name; + value = cookie.Value; + } + public Dictionary GetResponseHeadersForWaf() { var response = _httpTransport.Context.Response; diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs index 66b078938fdb..3fa801bd093d 100644 --- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs +++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs 
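Review bot: `GetCookieKeyValueFromIndex` in SecurityCoordinator.Core.cs resolves position `i` with `cookies.ElementAt(i)`; `IRequestCookieCollection` offers no index-based access and the concrete `RequestCookieCollection` does not implement `IList<T>`, so each call re-enumerates from the start and the caller's `for` loop over `cookies.Count` (the `@@ -171,33 +170,28 @@` hunk in SecurityCoordinator.cs) becomes quadratic in the number of cookies, a quantity the client controls. Enumerating the collection once with `foreach` on the Core side (the Framework overload can keep its real indexer) removes the rescan; the same remark applies to the SecurityCoordinator.cs hunk and is not repeated there. Both helpers also declare `out string key, out string value` as non-nullable while the caller immediately tests both for null; `out string? key, out string? value` would make the signatures and the guard agree, since the file already uses nullable annotations (`Dictionary?`). Each helper is complete within its hunk.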
@@ -15,7 +15,6 @@ using Datadog.Trace.Util; using Datadog.Trace.Vendors.Serilog.Events; #if !NETFRAMEWORK -using System.Linq; using Microsoft.AspNetCore.Http; #else using System.Collections.Specialized; @@ -171,33 +170,28 @@ public void AddResponseHeadersToSpanAndCleanup() { var cookies = RequestDataHelper.GetCookies(request); - if (cookies != null) + if (cookies is not null) { var cookiesDic = new Dictionary(); for (var i = 0; i < cookies.Count; i++) { -#if NETCOREAPP || NETSTANDARD - var cookie = cookies.ElementAt(i); - var keyForDictionary = cookie.Key; -#else - var cookie = cookies[i]; - var keyForDictionary = cookie.Name; -#endif - if (cookie.Value is not null && keyForDictionary is not null) + GetCookieKeyValueFromIndex(cookies, i, out var keyForDictionary, out var cookieValue); + + if (cookieValue is not null && keyForDictionary is not null) { if (!cookiesDic.TryGetValue(keyForDictionary, out var value)) { - cookiesDic.Add(keyForDictionary, cookie.Value); + cookiesDic.Add(keyForDictionary, cookieValue); } else { if (value is string stringValue) { - cookiesDic[keyForDictionary] = new List { stringValue, cookie.Value }; + cookiesDic[keyForDictionary] = new List { stringValue, cookieValue }; } else if (value is List valueList) { - valueList.Add(cookie.Value); + valueList.Add(cookieValue); } else { @@ -206,6 +200,8 @@ public void AddResponseHeadersToSpanAndCleanup() } } } + + return cookiesDic; } return null; 
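Review bot: ExtractCookiesFromRequest now returns `null` when the request exposes no cookie collection but an empty dictionary when cookies exist and every entry was rejected by the null guard; nothing in the code says whether the WAF address should differ between those two cases, so the method needs a `<returns>` doc distinguishing them (or the empty case should also yield null if the caller treats them alike, which I cannot tell from the hunk). Removing the `#if` block also makes the loop depend on `GetCookieKeyValueFromIndex` overloads that live in the partial-class files SecurityCoordinator.Core.cs and SecurityCoordinator.Framework.cs; a one-line comment at the call site, `// per-target overload: SecurityCoordinator.Core.cs / SecurityCoordinator.Framework.cs`, saves the next reader a search. The hunk header attributes this code to AddResponseHeadersToSpanAndCleanup, but the method whose body is shown is ExtractCookiesFromRequest, whose signature is outside the hunk.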
@@ -224,23 +220,14 @@ internal static Dictionary ExtractHeadersFromRequest(IHeaderDict if (!currentKey.Equals("cookie", System.StringComparison.OrdinalIgnoreCase)) { currentKey = currentKey.ToLowerInvariant(); + var value = GetHeaderValueForWaf(headers, currentKey); -#if NETCOREAPP || NETSTANDARD - var value = GetHeaderValueForWaf(headers[currentKey]); -#else - var value = GetHeaderValueForWaf(headers.GetValues(currentKey)); -#endif -#if NETCOREAPP - if (!headersDic.TryAdd(currentKey, value)) - { -#else if (!headersDic.ContainsKey(currentKey)) { headersDic.Add(currentKey, value); } else { -#endif Log.Warning("Header {Key} couldn't be added as argument to the waf", currentKey); } }
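Review bot: Unifying the two branches drops the single-lookup `TryAdd` path that the `#if NETCOREAPP` block provided and leaves `ContainsKey` followed by `Add`, two hash lookups per header on every target. That is a fair trade for removing the preprocessor split, because `Dictionary<TKey, TValue>.TryAdd` is not available on .NET Framework, but the reason is no longer visible in the code and a future reader will be tempted to "fix" it back; a comment above the `if`, `// ContainsKey + Add rather than TryAdd: Dictionary.TryAdd is unavailable on the .NET Framework target`, would pin it. The enclosing ExtractHeadersFromRequest method starts and ends outside the hunk.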